Open source has become risky business for companies that fail to manage software being downloaded by users. Finding help to keep things from getting out of control, however, is another challenge entirely.

There are risks (including legal ones) associated with using multiple open source products within an organization, but those risks are often ignored by both vendors and users. One of the problems is there has been very little incentive on the part of the vendors to develop products, said Michael Goulde, senior analyst at Cambridge, Mass.-based Forrester Research Inc.

"Penetration is spreading, but it is not displacing," Goulde said. "It's a small minority of what's actually in use, so the market opportunity isn't there. It hasn't hit yet."

But that doesn't mean there aren't products out there. Raven Zachary, research director at The 451 Group, a New York-based research firm, said some vendors that offer open source support or maintain certified repositories of open source technology see an opportunity in creating tools that enable enterprises to manage open source like a portfolio.

He pointed to OpenLogic Inc. and its OpenLogic Enterprise product, and SourceLabs Inc. and its new Open Source Management System (OSMS). In addition to red-flagging problematic open source components, these vendors also put in place basic governance and workflows that help companies track what is being used and how it is used.
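The kind of inventory-and-policy check those tools perform, shown as an added example that is not from the original article and not the code of OpenLogic, SourceLabs or any other vendor named here. The component names, the two manifests, the license table and the review policy are all constructed for illustration; a real deployment would pull the license data from a curated repository rather than a hard-coded dictionary.

```python
"""Added example: inventory open source components across project manifests
and flag the ones that need review. Every name and license below is
constructed for illustration; none refers to a real package or vendor tool."""
import json
import re
from typing import Dict, List, Tuple

# Constructed license table standing in for a curated component repository.
KNOWN_LICENSES: Dict[str, str] = {
    "webfw": "Apache-2.0",
    "libcompress": "LGPL-2.1-only",
    "reportgen": "GPL-3.0-only",
    "fastjson": "MIT",
}

# Constructed policy: copyleft licenses need legal review before the component
# is linked into proprietary code. Anything not in the repository is flagged too.
REVIEW_REQUIRED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"}

# Constructed manifests, keyed by the project that owns them.
MANIFESTS: Dict[str, str] = {
    "billing/requirements.txt": "webfw==2.1\nlibcompress>=1.0  # used for archives\nreportgen==0.9\n",
    "portal/package.json": json.dumps({"dependencies": {"fastjson": "^1.2", "webfw": "2.0"}}),
    "etl/requirements.txt": "mysterylib==3.3\nlibcompress==1.2\n",
}

# A requirements.txt line: a name, optionally followed by a version specifier.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:[=<>!~]=?.*)?$")


def parse_requirements(text: str) -> List[str]:
    """Return the component names declared in a pip-style requirements file."""
    names: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = REQ_LINE.match(line)
        if match:
            names.append(match.group(1).lower())
    return names


def parse_package_json(text: str) -> List[str]:
    """Return the component names declared in an npm package.json."""
    data = json.loads(text)
    names: List[str] = []
    for section in ("dependencies", "devDependencies"):
        names.extend(name.lower() for name in data.get(section, {}))
    return names


def build_inventory(manifests: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each component to every manifest that pulls it in (what is used where)."""
    found: Dict[str, List[str]] = {}
    for path, text in manifests.items():
        names = parse_package_json(text) if path.endswith("package.json") else parse_requirements(text)
        for name in names:
            found.setdefault(name, []).append(path)
    return found


def flag_components(found: Dict[str, List[str]]) -> List[Tuple[str, str, str, List[str]]]:
    """Apply the policy: (component, license, reason, manifests) for each finding."""
    findings = []
    for name, where in sorted(found.items()):
        license_id = KNOWN_LICENSES.get(name)
        if license_id is None:
            findings.append((name, "UNKNOWN", "not in the approved repository", where))
        elif license_id in REVIEW_REQUIRED:
            findings.append((name, license_id, "license requires legal review", where))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(MANIFESTS)
    for component, paths in sorted(inventory.items()):
        print(f"{component:12s} used in {', '.join(paths)}")
    for component, license_id, reason, paths in flag_components(inventory):
        print(f"FLAG {component:12s} {license_id:14s} {reason} ({', '.join(paths)})")
```

The inventory step answers the "what is used where" question on its own; the policy step is deliberately separate so that the same inventory can be re-evaluated when the license policy changes, without rescanning the projects.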

Got to have it

Bill Crowell, the former CIO of the Oregon Department of Human Services, said governance of open source technology is "absolutely critical."

Crowell said one of his peers, a CIO of a transportation agency, did an inventory of open source technology in his organization. He found 5,000 instances of open source in use -- and that was based on a scan of 10-15 known pieces of open source technology identified by researchers as having arrived in enterprises.

Looking back on his time with the Oregon Department of Human Services, Crowell said it was critical to do an inventory of usage by various departments, to have a "better idea of what was being used where and why, and whether or not open source was something that had, quite frankly, become significant."

Another major objective was to look at both the procurement and legal issues of acquiring open source technology because, in effect, the department wasn't procuring anything. "We were just getting free software off the Internet, and that raises some concerns," he said.

Kim Weins, vice president of marketing at Broomfield, Colo.-based OpenLogic, described several risks associated with using open source without proper controls.

"There are two ways to get sued over open source," Weins said. She said some organizations that adopt open source at the grass-roots level integrate intellectual property with open source components without getting permission from the owner of the intellectual property. Those copyright owners can sue the developer who misuses this technology, and they can sue the users of such technology.

Weins said the licenses for open source technology are also easy to violate without proper governance.

"There are unique aspects of open source licenses that carry with them some rather unique requirements," Goulde said.

Weins said there is also a downtime risk with open source. Organizations need to know how to deal with open source technology when it fails. The final risk is with compliance. With workflows in place to enforce open source policies, organizations can ensure that they have the proper controls in place to satisfy any applicable regulatory requirements.

"It's about ensuring that people are using open source components in a way that is complying with IT policy," Goulde said. "Ensuring that software is stored appropriately, protected appropriately, and access rights are made appropriate."

Alex Fletcher, lead technology analyst at Silver Spring, Md.-based open source research firm Entiva Group Inc., said creating a trusted library of open source software and components is a daunting task. He said open source is so diverse that confining an organization to a certified library can be constricting.

But Fletcher said he doesn't think a product will be enough to tame the beast. "I just think it's going to be very difficult to accomplish it with software and software alone. Policies and practices have to go with the software ... a mix of software and best practices."

Goulde added, "The paradox is a lot of companies are getting into open source to reduce their costs. They're not excited to spend money to manage it."

Ultimately, he said, vendors of commercial software management tools will integrate the management of open source technologies into their products, perhaps by acquiring companies in the open source space. He said there is no reason to manage commercial software and open source software separately.

"At the end of the day it's all still software written in a standard programming language," Goulde said. "It makes sense not to have two separate silos to manage these assets. They are just different asset categories that should be managed by the same tool."
